+
+int CKMLogic::readMultiRow(const Name &name,
+ const Label &ownerLabel,
+ DataType dataType,
+ DB::Crypto & database,
+ DB::RowVector &output)
+{
+ if (dataType.isKey())
+ {
+ // read all key types
+ database.getRows(name,
+ ownerLabel,
+ DataType::DB_KEY_FIRST,
+ DataType::DB_KEY_LAST,
+ output);
+ }
+ else if (dataType.isChainCert())
+ {
+ // read all key types
+ database.getRows(name,
+ ownerLabel,
+ DataType::DB_CHAIN_FIRST,
+ DataType::DB_CHAIN_LAST,
+ output);
+ }
+ else
+ {
+ // read anything else
+ database.getRows(name,
+ ownerLabel,
+ dataType,
+ output);
+ }
+
+ if(!output.size()) {
+ LogDebug("No row for given name, label and type");
+ return CKM_API_ERROR_DB_ALIAS_UNKNOWN;
+ }
+
+ return CKM_API_SUCCESS;
+}
+
+int CKMLogic::checkDataPermissionsHelper(const Credentials &cred,
+ const Name &name,
+ const Label &ownerLabel,
+ const Label &accessorLabel,
+ const DB::Row &row,
+ bool exportFlag,
+ DB::Crypto & database)
+{
+ PermissionMaskOptional permissionRowOpt =
+ database.getPermissionRow(name, ownerLabel, accessorLabel);
+
+ if(exportFlag)
+ return m_accessControl.canExport(cred, row, PermissionForLabel(accessorLabel, permissionRowOpt));
+ return m_accessControl.canRead(cred, PermissionForLabel(accessorLabel, permissionRowOpt));
+}
+
+Crypto::GObjUPtr CKMLogic::rowToObject(
+ UserData& handler,
+ DB::Row row,
+ const Password& password)
+{
+ Crypto::GStore& store = m_decider.getStore(row);
+
+ Password pass = m_accessControl.isCCMode() ? "" : password;
+
+ // decrypt row
+ Crypto::GObjUPtr obj;
+ if(CryptoLogic::getSchemeVersion(row.encryptionScheme) == CryptoLogic::ENCRYPTION_V2) {
+ handler.crypto.decryptRow(Password(), row);
+
+ obj = store.getObject(row, pass);
+ } else {
+ // decrypt entirely with old scheme: b64(pass(appkey(data))) -> data
+ handler.crypto.decryptRow(pass, row);
+ // destroy it in store
+ store.destroy(row);
+
+ // import it to store with new scheme: data -> pass(data)
+ Token token = store.import(row.dataType,row.data, pass);
+
+ // get it from the store (it can be different than the data we imported into store)
+ obj = store.getObject(token, pass);
+
+ // update row with new token
+ *static_cast<Token*>(&row) = std::move(token);
+
+ // encrypt it with app key: pass(data) -> b64(appkey(pass(data))
+ handler.crypto.encryptRow(row);
+
+ // update it in db
+ handler.database.updateRow(row);
+ }
+ return obj;
+}
+
+int CKMLogic::readDataHelper(
+ bool exportFlag,
+ const Credentials &cred,
+ DataType dataType,
+ const Name &name,
+ const Label &label,
+ const Password &password,
+ Crypto::GObjUPtrVector &objs)
+{
+ auto &handler = selectDatabase(cred, label);
+
+ // use client label if not explicitly provided
+ const Label &ownerLabel = label.empty() ? cred.smackLabel : label;
+
+ if (!isNameValid(name) || !isLabelValid(ownerLabel))
+ return CKM_API_ERROR_INPUT_PARAM;
+
+ // read rows
+ DB::Crypto::Transaction transaction(&handler.database);
+ DB::RowVector rows;
+ int retCode = readMultiRow(name, ownerLabel, dataType, handler.database, rows);
+ if(CKM_API_SUCCESS != retCode)
+ return retCode;
+
+ // all read rows belong to the same owner
+ DB::Row & firstRow = rows.at(0);
+
+ // check access rights
+ retCode = checkDataPermissionsHelper(cred, name, ownerLabel, cred.smackLabel, firstRow, exportFlag, handler.database);
+ if(CKM_API_SUCCESS != retCode)
+ return retCode;
+
+ // load app key if needed
+ retCode = loadAppKey(handler, firstRow.ownerLabel);
+ if(CKM_API_SUCCESS != retCode)
+ return retCode;
+
+ // decrypt row
+ for(auto &row : rows)
+ objs.push_back(rowToObject(handler, std::move(row), password));
+ // rowToObject may modify db
+ transaction.commit();
+
+ return CKM_API_SUCCESS;
+}
+
+int CKMLogic::readDataHelper(
+ bool exportFlag,
+ const Credentials &cred,
+ DataType dataType,
+ const Name &name,
+ const Label &label,
+ const Password &password,
+ Crypto::GObjUPtr &obj)
+{
+ DataType objDataType;
+ return readDataHelper(exportFlag, cred, dataType, name, label, password, obj, objDataType);